SEC Director Clarifies Cybersecurity Disclosure Rules
Director of the SEC Division of Corporation Finance Erik Gerding highlighted the rationale and mechanics behind the SEC's new rules on disclosure of cybersecurity policies and related incidents.
In a published statement, Director Gerding emphasized that cybersecurity risks have increased as a consequence of remote work and reliance on electronic systems. Based on the market participant comments received, he said that the final rule is far less prescriptive than the original proposal. He noted that the final rule removed the proposed requirement that companies disclose whether their Boards of Directors include individuals with cybersecurity expertise.
He also clarified that the final rule no longer requires certain specific details about cybersecurity policies and procedures, but rather requires more general disclosure about the company's cybersecurity processes. This, he said, addressed a key concern that highly detailed disclosure of policies and procedures could be exploited by cyber criminals. He said that the SEC also responded to investor concerns that disclosures under the rule need to be consistent and comparable with other disclosures so that investors can better evaluate risk. Mr. Gerding explained that the new rules require that disclosure be centered on the material impacts of cyber events. He clarified that the deadline for making such disclosure is four business days following the determination that the incident was material, not four business days from the discovery of the incident itself, "so long as it does not unreasonably delay its internal processes for determining materiality."